Does this also happen outside of AFL? Because here clearly RIP got corrupted somehow, maybe a slightly off patch?
Replying to @_niklasb
For the NET_CloseAllSockets patch, how far into the function should the patch be inserted? Right at the entry point of the function (latest version: 0x00288a50) or should it be further, say after sub esp, 0x10 (0x00288a58)?
Replying to @Blurbdust
I'm pretty sure I inserted it right at the beginning. Maybe try a jmp eax instead of call, if stack alignment is a problem.
Replying to @_niklasb
No luck on jmp eax ('\xff\xe0'). I added debug statements that write out to a file. When following the afl build_qemu script, it creates the file and correctly prints info->entry, and entry from the environment variable is null as expected. When using the environment... (1/n)
Replying to @Blurbdust @_niklasb
variable AFL_ENTRY_POINT=000012f2 and rebuilding qemu, it also writes out a file with the correct entry point, in this case the forced value. But when running AFL alone or through your run_afl script, no file is created. I have also tried copying out the exact command and... (2/n)
Replying to @Blurbdust
So bspfuzz works by itself, without AFL? Getting it to work should be the first step.
Replying to @_niklasb @Blurbdust
AFL_ENTRY_POINT=000012f2 doesn't make sense by the way, it should be an actual absolute address, pointing to the beginning of a basic block.
Replying to @_niklasb
In afl_run.sh it sets AFL_ENTRY_POINT to $(nm bspfuzz |& grep forkserver | cut -d' ' -f1) which is always 000012f2 for me.
Replying to @Blurbdust
See my other tweet, looks like you have PIE enabled for that binary, should have turned it off explicitly.
Replying to @_niklasb
...yup. I disabled ASLR but forgot about PIE. It does still segfault but it at least prints out startpoint() now.
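The PIE check described above, as an added shell example that is not part of the thread or of the bspfuzz/afl_run.sh scripts: it derives AFL_ENTRY_POINT from nm output the way afl_run.sh does, but first reads the ELF type from readelf -h and refuses a DYN (PIE) binary, whose nm addresses such as 000012f2 are link-time offsets rather than the absolute basic-block address afl-qemu-trace expects. The symbol name forkserver and the sample readelf/nm text are constructed for this example.

```shell
#!/bin/sh
# Derive AFL_ENTRY_POINT for afl-qemu-trace and refuse PIE binaries, whose nm
# addresses are link-time offsets, not the absolute runtime address AFL needs.
# Inputs are passed as text so the functions run without a real binary:
#   header: output of `readelf -h BIN`   (Type: EXEC vs DYN)
#   syms:   output of `nm BIN`
#   symbol: name of the forkserver hook (assumed: forkserver, as in afl_run.sh)

# Returns 0 if the ELF header says DYN (PIE or shared object), 1 otherwise.
elf_is_pie() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Type:[[:space:]]+DYN'
}

# Prints the address column of the first nm line whose symbol matches exactly.
symbol_addr() {
    printf '%s\n' "$1" | awk -v sym="$2" '$3 == sym { print $1; exit }'
}

# Prints "0x<addr>" usable as AFL_ENTRY_POINT, or an error on stderr and returns 1.
afl_entry_point() {
    header=$1; syms=$2; symbol=$3
    if elf_is_pie "$header"; then
        echo "error: binary is PIE; nm offsets are not absolute addresses." \
             "Rebuild with -no-pie (and -fno-pie for the objects)." >&2
        return 1
    fi
    addr=$(symbol_addr "$syms" "$symbol")
    if [ -z "$addr" ]; then
        echo "error: symbol '$symbol' not found in nm output" >&2
        return 1
    fi
    printf '0x%s\n' "$addr"
}

# Constructed sample inputs (32-bit layout, not from the thread's real build).
PIE_HEADER='ELF Header:
  Class:                             ELF32
  Type:                              DYN (Shared object file)'
EXEC_HEADER='ELF Header:
  Class:                             ELF32
  Type:                              EXEC (Executable file)'
PIE_NM='000012f2 T forkserver
00001337 T main'
EXEC_NM='08049100 T forkserver
08049200 T main'

# Real usage (assumed binary name from the thread):
#   AFL_ENTRY_POINT=$(afl_entry_point "$(readelf -h bspfuzz)" "$(nm bspfuzz)" forkserver)
afl_entry_point "$EXEC_HEADER" "$EXEC_NM" forkserver      # prints 0x08049100
afl_entry_point "$PIE_HEADER" "$PIE_NM" forkserver || true  # rejected: PIE
```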
If you end up with a working patch.py for the newest version, feel free to make a pull request that checks the hashes of the files and applies your patches for the corresponding version.
Replying to @_niklasb @Blurbdust
I'm sure others could find it useful :)